Web Application Firewall (WAF) is integrated with Log Service to provide the Log Service for WAF feature. The feature collects and stores access logs and protection logs of protected objects in WAF. You can use this feature to query and analyze logs, configure charts, configure alert rules, and deliver logs to downstream services for consumption. This feature allows you to focus more on log analysis. The protected objects can be domain names and cloud service instances.

Intended users

  • Large-scale enterprises and organizations, such as financial entities and public service sectors that need to meet log storage requirements. The logs include host, network, and security logs of various assets in the cloud.
  • Organizations, such as large-scale real estate, e-commerce, financial entities, and public service sectors that have security operations centers (SOCs) and want to collect and manage security and alert logs in a centralized manner.
  • Enterprises with advanced technologies, such as companies in the IT, gaming, or financial industry, which require in-depth analysis of logs collected from various assets in the cloud and automated alert handling.
  • All users who need to trace business security events and generate weekly, monthly, and yearly reports, or users who need to meet classified protection requirements (MLPS level 3 or higher).


  • Trace web attack logs and identify the source of security threats.
  • View requests and query the request status and trends.
  • Obtain information about the efficiency of security operations and respond to issues at the earliest opportunity.
  • Generate and deliver security network logs to self-managed data and computing centers.


  • Compliance audits: This feature allows you to store website access logs for more than six months to meet classified protection requirements.
  • Flexible configuration:
    • This feature allows you to collect and store web access and protection logs with a few clicks.
    • This feature allows you to configure log fields, the log type, and the protected objects whose logs you want to collect.
    • This feature allows you to modify existing report templates or create custom report templates based on your business or security requirements. This way, you can understand the security posture of your website workloads.
  • Real-time log analysis: WAF provides the real-time log analysis feature and an out-of-the-box (OOTB) report center, and supports interactive data mining. This allows you to identify and analyze various attacks on your website and access details in real time.
  • Real-time alerting: You can customize monitoring and alert rules based on specific metrics. This way, you can respond to exceptions that occur in critical services at the earliest opportunity.
  • Collaboration: You can use this feature together with other data solutions such as real-time computing, cloud storage, and visualization to further explore the value of data.


The Log Service for WAF feature is a paid feature and uses the pay-as-you-go billing method. The fees of the Log Service for WAF feature are included in the bills of Log Service and are not included in the bills of WAF. For more information, see Pay-as-you-go.

By default, the Log Service for WAF feature is disabled. To use the Log Service for WAF feature, you must enable the feature. For more information, see Enable the Log Service for WAF feature.


| Feature | Description |
| --- | --- |
| Log configuration | After you enable the Log Service for WAF feature, you can enable log collection for protected objects. WAF can collect and store the logs of a protected object only after log collection is enabled for that object. For more information about the fields that are included in WAF logs, see Fields in logs. For more information about how to enable log collection for a protected object, see Log collection. You can modify log settings, such as the fields that are included in logs and the type of logs that you want to store. The log types are Full Log and Block Log. For more information, see Field settings. |
| Log query | You can use query statements to query and analyze collected logs. For more information, see Query logs. You can create alert rules based on query statements. After you create an alert rule, Log Service checks query and analysis results on a regular basis. If the query and analysis results meet a trigger condition that you specify in the alert rule, Log Service sends an alert notification. This allows you to monitor your service status in real time. For more information, see Configure an alert in Log Service. |
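
The periodic check behind an alert rule, sketched as an added example (not Log Service code or query syntax): a query counts blocked requests per client IP over a time window, and the trigger condition fires when a count reaches a threshold. The field names, sample records, window, interval, and threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records: (time, client_ip, action). These field names are
# assumptions for this sketch, not the documented WAF log fields.
SAMPLE_LOGS = [
    ("2024-05-01T10:00:05", "198.51.100.7", "block"),
    ("2024-05-01T10:01:10", "198.51.100.7", "block"),
    ("2024-05-01T10:03:40", "198.51.100.7", "block"),
    ("2024-05-01T10:04:30", "203.0.113.9", "block"),
    ("2024-05-01T10:05:10", "203.0.113.9", "block"),
    ("2024-05-01T10:06:00", "203.0.113.9", "block"),
    ("2024-05-01T10:02:00", "192.0.2.20", "pass"),  # present only in a full log
    ("2024-05-01T10:02:01", "192.0.2.20", "pass"),
]

def run_query(logs, start, end):
    """Stand-in for the query statement: blocked requests per client IP in [start, end)."""
    hits = Counter()
    for time_str, client_ip, action in logs:
        ts = datetime.fromisoformat(time_str)
        if start <= ts < end and action == "block":
            hits[client_ip] += 1
    return hits

def evaluate_alert(logs, now, window=timedelta(minutes=5), threshold=3):
    """One check: query the last `window` and apply the trigger condition count >= threshold."""
    result = run_query(logs, now - window, now)
    return sorted((ip, n) for ip, n in result.items() if n >= threshold)

def scheduled_checks(logs, first, runs, interval=timedelta(minutes=5), **rule):
    """Simulate periodic checks; return {check time: alerts} for the checks that fired."""
    fired = {}
    for i in range(runs):
        now = first + i * interval
        alerts = evaluate_alert(logs, now, **rule)
        if alerts:
            fired[now.isoformat()] = alerts
    return fired

if __name__ == "__main__":
    start = datetime(2024, 5, 1, 10, 5)
    # Window equal to the interval: 203.0.113.9's blocks straddle two windows, no alert.
    print(scheduled_checks(SAMPLE_LOGS, start, 3))
    # Window longer than the interval: the 10:10 check sees all three blocks.
    print(scheduled_checks(SAMPLE_LOGS, start, 3, window=timedelta(minutes=10)))
```

With the window equal to the check interval, the three blocks from 203.0.113.9 are split across two checks and never reach the threshold. A window longer than the interval catches them, at the cost of alerting on 198.51.100.7 twice.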